topic Re: Trying to determine min/max date/time for a list of ip addresses in Splunk Search

Trying to determine min/max date/time for a list of ip addresses

dbuckley669 — Mon, 18 Jan 2021 17:23:27 GMT

My search returns a table of a count of ip addresses that have hit our system in a given search period. I am trying to determine what the earliest time and most recent time was for each ip address.

index=myIndex host=mySrvr sourcetype=mysource | stats count by s_ipad, r_ip_country, |Fields s_ipad, r_ip_country. min(_time),max(_time) count | search count>=15 |sort -count

The table of data returns the top 15 ip address and country of origin, however the min(_time) and max(_time) are empty. Any help would be appreciated.

Thanks.

Re: Trying to determine min/max date/time for a list of ip addresses

saravanan90 — Mon, 18 Jan 2021 17:29:14 GMT

This may help...

index=myIndex host=mySrvr sourcetype=mysource | stats count,min(_time),max(_time) by s_ipad, r_ip_country | search count>=15 |sort -count

Re: Trying to determine min/max date/time for a list of ip addresses

dbuckley669 — Mon, 18 Jan 2021 17:48:19 GMT

Search query worked perfect. Thank you.

Re: Trying to determine min/max date/time for a list of ip addresses

Taruchit — Wed, 15 Sep 2021 08:51:05 GMT

Hello Sir,

Based on the topic, I am trying to fetch the first time and the last time an error occurred in application logs, and thus used following query: -

index="dummy" (search condition) |rex ...(?<error>.*?)...|stats count, min(_time), max(_time) by error

I got for columns in results: error, count, min(_time) and max(_time).

However, in column min(_time) and max(_time) I am getting values like: -
1631484056.103, 1631501959.541 respectively.

Thus, I need your help to convert results of the two columns in readable format.

Thank you